quark-noroot-20191003-3c7049e.diff - sites - public wiki contents of suckless.o…
quark-noroot-20191003-3c7049e.diff (5193B)
---
1 From d91f68b56a4fd673786e9e4df0088642f3b186ff Mon Sep 17 00:00:00 2001
2 From: codesoap <[email protected]>
3 Date: Thu, 3 Oct 2019 17:00:49 +0200
4 Subject: [PATCH] patch: noroot
5
6 Don't require or allow root to run quark.
7 ---
8 main.c | 50 ++------------------------------------------------
9 quark.1 | 13 +------------
10 sock.c | 7 +------
11 sock.h | 2 +-
12 4 files changed, 5 insertions(+), 67 deletions(-)
13
14 diff --git a/main.c b/main.c
15 index c1ff489..583e343 100644
16 --- a/main.c
17 +++ b/main.c
18 @@ -1,9 +1,7 @@
19 /* See LICENSE file for copyright and license details. */
20 #include <errno.h>
21 -#include <grp.h>
22 #include <limits.h>
23 #include <netinet/in.h>
24 -#include <pwd.h>
25 #include <regex.h>
26 #include <signal.h>
27 #include <sys/resource.h>
28 @@ -163,7 +161,7 @@ err:
29 static void
30 usage(void)
31 {
32 - const char *opts = "[-u user] [-g group] [-n num] [-d dir] [-l]…
33 + const char *opts = "[-n num] [-d dir] [-l] "
34 "[-i file] [-v vhost] ... [-m map] ...";
35
36 die("usage: %s -h host -p port %s\n"
37 @@ -174,8 +172,6 @@ usage(void)
38 int
39 main(int argc, char *argv[])
40 {
41 - struct group *grp = NULL;
42 - struct passwd *pwd = NULL;
43 struct rlimit rlim;
44 struct sockaddr_storage in_sa;
45 pid_t cpid, wpid, spid;
46 @@ -188,8 +184,6 @@ main(int argc, char *argv[])
47 /* defaults */
48 int maxnprocs = 512;
49 char *servedir = ".";
50 - char *user = "nobody";
51 - char *group = "nogroup";
52
53 s.host = s.port = NULL;
54 s.vhost = NULL;
55 @@ -202,9 +196,6 @@ main(int argc, char *argv[])
56 case 'd':
57 servedir = EARGF(usage());
58 break;
59 - case 'g':
60 - group = EARGF(usage());
61 - break;
62 case 'h':
63 s.host = EARGF(usage());
64 break;
65 @@ -241,9 +232,6 @@ main(int argc, char *argv[])
66 case 'U':
67 udsname = EARGF(usage());
68 break;
69 - case 'u':
70 - user = EARGF(usage());
71 - break;
72 case 'v':
73 if (spacetok(EARGF(usage()), tok, 4) || !tok[0] || !tok…
74 !tok[2]) {
75 @@ -291,25 +279,13 @@ main(int argc, char *argv[])
76 die("setrlimit RLIMIT_NPROC:");
77 }
78
79 - /* validate user and group */
80 - errno = 0;
81 - if (user && !(pwd = getpwnam(user))) {
82 - die("getpwnam '%s': %s", user, errno ? strerror(errno) :
83 - "Entry not found");
84 - }
85 - errno = 0;
86 - if (group && !(grp = getgrnam(group))) {
87 - die("getgrnam '%s': %s", group, errno ? strerror(errno)…
88 - "Entry not found");
89 - }
90 -
91 /* Open a new process group */
92 setpgid(0,0);
93
94 handlesignals(sigcleanup);
95
96 /* bind socket */
97 - insock = udsname ? sock_get_uds(udsname, pwd->pw_uid, grp->gr_g…
98 + insock = udsname ? sock_get_uds(udsname) :
99 sock_get_ips(s.host, s.port);
100
101 switch (cpid = fork()) {
102 @@ -329,24 +305,9 @@ main(int argc, char *argv[])
103 eunveil(servedir, "r");
104 eunveil(NULL, NULL);
105
106 - /* chroot */
107 if (chdir(servedir) < 0) {
108 die("chdir '%s':", servedir);
109 }
110 - if (chroot(".") < 0) {
111 - die("chroot .:");
112 - }
113 -
114 - /* drop root */
115 - if (grp && setgroups(1, &(grp->gr_gid)) < 0) {
116 - die("setgroups:");
117 - }
118 - if (grp && setgid(grp->gr_gid) < 0) {
119 - die("setgid:");
120 - }
121 - if (pwd && setuid(pwd->pw_uid) < 0) {
122 - die("setuid:");
123 - }
124
125 if (udsname) {
126 epledge("stdio rpath proc unix", NULL);
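Review bot: With `chroot(".")` gone, the `chdir(servedir)` kept in this hunk is the only filesystem step that runs on every platform, and the `/* chroot */` comment was deleted without a replacement saying what now confines the server. If `eunveil` does nothing outside OpenBSD (its definition is not in this patch), a symlink inside the served directory that points elsewhere, or any gap in request-path normalisation, is no longer contained by the kernel. I would add a comment above the `chdir`, for example `/* no chroot: confinement relies on unveil(2) where available and on path normalisation in the request handler */`, and state the same limitation in quark.1. main's body starts and ends outside this hunk.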
127 @@ -354,13 +315,6 @@ main(int argc, char *argv[])
128 epledge("stdio rpath proc inet", NULL);
129 }
130
131 - if (getuid() == 0) {
132 - die("Won't run as root user", argv0);
133 - }
134 - if (getgid() == 0) {
135 - die("Won't run as root group", argv0);
136 - }
137 -
138 /* accept incoming connections */
139 while (1) {
140 in_sa_len = sizeof(in_sa);
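Review bot: Deleting the `getuid() == 0` and `getgid() == 0` checks leaves no line in the visible hunks that refuses to start as root, although the description says root is not allowed. Combined with the setgroups/setgid/setuid calls removed in the previous hunk, a quark started by root would keep uid 0 while serving requests. I would keep the refusal and move it to the top of main, before the socket is bound: `if (getuid() == 0 || geteuid() == 0) die("Won't run as root user");` with the matching `getgid()`/`getegid()` test. main's body starts and ends outside this hunk.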
141 diff --git a/quark.1 b/quark.1
142 index ce315b5..e45140c 100644
143 --- a/quark.1
144 +++ b/quark.1
145 @@ -35,13 +35,8 @@ is a simple HTTP GET/HEAD-only web server for static …
146 .It Fl d Ar dir
147 Serve
148 .Ar dir
149 -after chrooting into it.
150 +after changing into it.
151 The default is ".".
152 -.It Fl g Ar group
153 -Set group ID when dropping privileges, and in socket mode the group of …
154 -socket file, to the ID of
155 -.Ar group .
156 -The default is "nogroup".
157 .It Fl h Ar host
158 Use
159 .Ar host
160 @@ -86,12 +81,6 @@ redirects on non-standard ports.
161 Create the UNIX-domain socket
162 .Ar file ,
163 listen on it for incoming connections and remove it on exit.
164 -.It Fl u Ar user
165 -Set user ID when dropping privileges,
166 -and in socket mode the user of the socket file,
167 -to the ID of
168 -.Ar user .
169 -The default is "nobody".
170 .It Fl v Ar vhost
171 Add the virtual host specified by
172 .Ar vhost ,
173 diff --git a/sock.c b/sock.c
174 index 7000738..31960c5 100644
175 --- a/sock.c
176 +++ b/sock.c
177 @@ -68,7 +68,7 @@ sock_rem_uds(const char *udsname)
178 }
179
180 int
181 -sock_get_uds(const char *udsname, uid_t uid, gid_t gid)
182 +sock_get_uds(const char *udsname)
183 {
184 struct sockaddr_un addr = {
185 .sun_family = AF_UNIX,
186 @@ -99,11 +99,6 @@ sock_get_uds(const char *udsname, uid_t uid, gid_t gi…
187 die("chmod:");
188 }
189
190 - if (chown(udsname, uid, gid) < 0) {
191 - sock_rem_uds(udsname);
192 - die("chown:");
193 - }
194 -
195 return insock;
196 }
197
198 diff --git a/sock.h b/sock.h
199 index a39aec9..4f790f6 100644
200 --- a/sock.h
201 +++ b/sock.h
202 @@ -8,7 +8,7 @@
203
204 int sock_get_ips(const char *, const char *);
205 void sock_rem_uds(const char *);
206 -int sock_get_uds(const char *, uid_t, gid_t);
207 +int sock_get_uds(const char *);
208 int sock_set_timeout(int, int);
209 int sock_get_inaddr_str(struct sockaddr_storage *, char *, size_t);
210
211 --
212 2.21.0
213